mod-security-users

I have installed 2.7 and have enabled the HTTP:BL rule in a local conf file using:
# Project HoneyPot
SecHttpBlKey XXXXXXXXX
SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" "phase:1,t:none,log,allow,msg:'HTTPBL Match of Client IP.'"
Once httpd was re-started I began to see in error.log:
[Wed Jul 20 17:40:30 2011] [error] [client XXX.XXX.XXX.XXX] ModSecurity: Access allowed (phase 1). RBL lookup of XXXXXXXXXXXXXX.dnsbl.httpbl.org succeeded at REMOTE_ADDR. Search Engine: 0 days since last activity, threat score 5 [file "/usr/local/apache/conf/modsecurity.d/local/00_localrules.conf"] [line "14"] [msg "HTTPBL Match of Client IP."] [hostname "www.XXXXXXX.com"] [uri "/sitemap-xml.html"] [unique_id "TicE-k1JBusAAFw70-cAAAAG"]
If I had left the rule as block, would this connection not have been allowed? It would appear that a score of 5 is referred to as low in the eyes of HTTP:BL, and the IP address is not even listed when you query it. Or does the block only trigger when the threat score is within a certain threshold?
--
Thanks,
Organic Spider | Weaving Open Source Technology

I think you want to use "pass" vs. "allow" during testing. Pass will
process the rule and alert but it will not trigger any disruptive actions.
By using allow, you are allowing the request to bypass further
ModSecurity inspection if the @rbl check returns true.
We will also look at possibly updating the @rbl operator check to be able
to capture the returned BL msg data which would then allow you to chain
the rule and do further inspection based on the BL's "threat score".
-Ryan
On 7/20/11 12:44 PM, "Organic Spider" <webmaster@...>
wrote:
>_______________________________________________
>mod-security-users mailing list
>mod-security-users@...
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php

Ryan,
Am I right in thinking that if a threat score is returned, even if it is classed as low and does not even qualify as a HoneyPot IP, then the rule I am testing would have blocked the connection?
--
Thanks,
Organic Spider | Weaving Open Source Technology
----- Original Message -----
From: "Ryan Barnett" <ryan.barnett@...>
To: "Organic Spider" <webmaster@...>, mod-security-users@...
Sent: Wednesday, 20 July, 2011 5:53:36 PM
Subject: Re: [mod-security-users] HTTP:BL

Yes, I believe that if the @rbl operator check returns true (meaning that
the remote RBL had a DNS match) then the rule matches and the action would
be applied. As I stated in the previous email - I think that we could
probably improve the @rbl check for the dnsbl.httpbl.org list so that we
can capture the returned match data and save it in a TX:0 variable so that
you can then inspect that data in a subsequent chained SecRule. This would
allow you to verify the actual threat score assigned to the IP by Project
Honeypot's HTTPBL.
-Ryan
On 7/20/11 2:53 PM, "Organic Spider" <webmaster@...> wrote:
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

As a follow-up - Breno Silva pointed out to me that the @rbl operator
already saves the RBL returned msg data with the TX variable. So, with
this info, you can use this updated ruleset to inspect the returned data
and evaluate the "threat score" and then decide if you want to block or
not -
SecRule TX:REAL_IP|ARGS:REMOTE_ADDR "@rbl dnsbl.httpbl.org" "chain,phase:1,t:none,capture,block,msg:'HTTPBL Match of Client IP.',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=%{tx.0}"
SecRule TX:0 "threat score (\d+)" "chain,capture"
SecRule TX:1 "@gt 20"
This rule will capture the threat score and then the last SecRule
evaluates it and will only match if it is greater than 20 points. You can
adjust the threshold to whatever you want.
This would generate an alert similar to this -
[Wed Jul 20 15:53:26 2011] [error] [client 127.0.0.1] ModSecurity:
Warning. Operator GT matched 20 at TX:1. [file
"/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.
conf"] [line "2"] [msg "HTTPBL Match of Client IP."] [data "RBL lookup of
xxxxxxxxxxxx.41.75.92.188.dnsbl.httpbl.org succeeded at REMOTE_ADDR.
Suspicious comment spammer IP: 1 days since last activity, threat score
63"] [hostname "localhost"] [uri "/cgi-bin/printenv"] [unique_id
"TicyNsCoAWsAAKslGIAAAAAB"]
Cheers,
Ryan
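As an added example (not Ryan's code and not ModSecurity's implementation) of the logic the three-rule chain above expresses: build the http:BL query name the @rbl operator resolves, decode a constructed DNS answer into the message wording seen in the log data on this thread, then apply the "threat score (\d+)" capture and the @gt threshold. The access key, the sample answers and the label wording for combined visitor types are assumptions; the page only shows "Search Engine" and "Suspicious comment spammer IP".

```python
import re
from ipaddress import IPv4Address
from typing import Optional

# Visitor-type bits Project Honey Pot documents for the last octet of an
# http:BL answer (127.<days>.<threat>.<type>); 0 means search engine.
VISITOR_BITS = {1: "Suspicious", 2: "Harvester", 4: "Comment spammer"}

# Same pattern Ryan's second chained SecRule applies to TX:0.
THREAT_RE = re.compile(r"threat score (\d+)")


def httpbl_query_name(access_key: str, client_ip: str) -> str:
    """<key>.<client IP with octets reversed>.dnsbl.httpbl.org, which is the
    shape of the name in the thread's log data (xxx.41.75.92.188....)."""
    octets = str(IPv4Address(client_ip)).split(".")
    return f"{access_key}.{'.'.join(reversed(octets))}.dnsbl.httpbl.org"


def rbl_message(query_name: str, answer: Optional[str]) -> Optional[str]:
    """Render a (constructed) http:BL answer in the wording of the @rbl log
    data on this thread. None (NXDOMAIN) means the IP is not listed, so the
    @rbl operator would not match at all. Label wording for multi-bit
    visitor types is an assumption."""
    if answer is None:
        return None
    first, days, threat, vtype = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError("not an http:BL answer: %s" % answer)
    if vtype == 0:
        label = "Search Engine"
    else:
        parts = [name for bit, name in VISITOR_BITS.items() if vtype & bit]
        label = " ".join([parts[0]] + [p.lower() for p in parts[1:]]) + " IP"
    return (f"RBL lookup of {query_name} succeeded at REMOTE_ADDR. "
            f"{label}: {days} days since last activity, threat score {threat}")


def evaluate(client_ip: str, answer: Optional[str], threshold: int = 20,
             access_key: str = "EXAMPLEKEY") -> dict:
    """Mirror the chain: @rbl match -> capture the score from TX:0 into
    TX:1 -> block only when TX:1 is @gt threshold (20 in Ryan's rule)."""
    name = httpbl_query_name(access_key, client_ip)
    msg = rbl_message(name, answer)
    if msg is None:  # @rbl returned false: the chain never starts
        return {"listed": False, "score": None, "block": False, "msg": None}
    m = THREAT_RE.search(msg)
    score = int(m.group(1)) if m else None
    return {"listed": True, "score": score,
            "block": score is not None and score > threshold, "msg": msg}
```

A score of 5 (the original poster's search-engine hit) is listed but falls under the threshold, so the chain matches only on answers such as the constructed 127.1.63.5 comment-spammer case.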

Very neat indeed! Thank you Ryan and Breno.
--
Thanks,
Organic Spider | Weaving Open Source Technology
----- Original Message -----
From: "Ryan Barnett" <ryan.barnett@...>
To: "Organic Spider" <webmaster@...>
Cc: mod-security-users@...
Sent: Wednesday, 20 July, 2011 8:59:05 PM
Subject: Re: [mod-security-users] HTTP:BL